# Bloodhound-Cypher
BH Cypher Queries picked up from random places

## Top Ten Users with Most Local Admin Rights

```
// Counts explicit AdminTo edges only; admin rights inherited through group membership are not unrolled here
MATCH (n:User)-[r:AdminTo]->(m:Computer)
WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON'
AND NOT n.name = ''
WITH n, count(r) AS rel_count
ORDER BY rel_count DESC
LIMIT 10
MATCH p=(m:Computer)<-[:AdminTo]-(n)
RETURN p
```

## Top Ten Computers with Most Sessions

```
MATCH (n:User)<-[r:HasSession]-(m:Computer)
WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON'
AND NOT n.name = ''
WITH m, count(r) AS rel_count
ORDER BY rel_count DESC
LIMIT 10
MATCH p=(m)-[:HasSession]->(n:User)
RETURN p
```

## Top Ten Users with Most Sessions

```
MATCH (n:User)<-[r:HasSession]-(m:Computer)
WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON'
AND NOT n.name = ''
WITH n, count(r) AS rel_count
ORDER BY rel_count DESC
LIMIT 10
MATCH p=(m:Computer)-[:HasSession]->(n)
RETURN p
```

## Top Ten Computers with Most Admins

```
MATCH (n:User)-[r:AdminTo]->(m:Computer)
WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON'
AND NOT n.name = ''
WITH m, count(r) AS rel_count
ORDER BY rel_count DESC
LIMIT 10
MATCH p=(m)<-[:AdminTo]-(n:User)
RETURN p
```

## Return a list of users who have admin rights on at least one system either explicitly or through group membership

```
// The variable-length MemberOf|AdminTo walk unrolls nested group membership; an unbounded *1.. can be slow on large graphs
MATCH (u:User)-[:AdminTo|MemberOf*1..]->(c:Computer)
RETURN DISTINCT u.name
```

## Return username and number of computers that username is admin for, for top N users

```
MATCH (U:User)-[:MemberOf|AdminTo*1..]->(C:Computer)
WITH U.name AS n, COUNT(DISTINCT C) AS c
RETURN n, c
ORDER BY c DESC
LIMIT 5
```

## Return group name and number of computers that group is admin for, for top N groups

```
MATCH (G:Group)-[:MemberOf|AdminTo*1..]->(C:Computer)
WITH G.name AS n, COUNT(DISTINCT C) AS c
RETURN n, c
ORDER BY c DESC
LIMIT 5
```

## Show all users that are administrator on more than one machine

```
MATCH (U:User)-[:MemberOf|AdminTo*1..]->(C:Computer)
WITH U.name AS n, COUNT(DISTINCT C) AS c
WHERE c > 1
RETURN n
ORDER BY c DESC
```

## Show all users that are administrative on at least one machine, ranked by the number of machines they are admin on

```
MATCH (u:User)
// explicit AdminTo edges
OPTIONAL MATCH (u)-[:AdminTo]->(c:Computer)
WITH u, COUNT(DISTINCT c) AS expAdmin
// admin rights inherited through (nested) group membership, excluding computers already counted above
OPTIONAL MATCH (u)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(c:Computer)
WHERE NOT (u)-[:AdminTo]->(c)
WITH u, expAdmin, COUNT(DISTINCT c) AS unrolledAdmin
WITH u, expAdmin, unrolledAdmin, expAdmin + unrolledAdmin AS totalAdmin
WHERE totalAdmin > 0
RETURN u.name, expAdmin, unrolledAdmin, totalAdmin
ORDER BY totalAdmin DESC
```

## Return cross domain 'HasSession' relationships

```
MATCH p=(S:Computer)-[:HasSession]->(T:User)
WHERE NOT S.domain = T.domain
RETURN p
```

## Find other rights DOMAIN USERS should not have on computers

```
MATCH p=(m:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer)
WHERE m.name STARTS WITH 'DOMAIN USERS'
RETURN p
```

## List all Kerberoastable Accounts

```
MATCH (n:User)
WHERE n.hasspn = true
RETURN n
```

## Show Kerberoastable high value targets

```
// Direct membership only; use [:MemberOf*1..] to include nested group membership
MATCH (n:User)-[r:MemberOf]->(g:Group)
WHERE g.highvalue = true AND n.hasspn = true
RETURN n, g, r
```

## List Computers where DOMAIN USERS are Local Admin

```
// BloodHound names groups as NAME@DOMAIN (e.g. DOMAIN USERS@CORP.LOCAL), so STARTS WITH matches the group in every collected domain
MATCH p=(m:Group)-[:AdminTo]->(n:Computer)
WHERE m.name STARTS WITH 'DOMAIN USERS'
RETURN p
```

## Find Workstations where DOMAIN USERS can RDP To

```
// Computers with no operatingsystem property are excluded by both this query and the server variant below
MATCH p=(g:Group)-[:CanRDP]->(c:Computer)
WHERE g.name STARTS WITH 'DOMAIN USERS'
AND NOT c.operatingsystem CONTAINS 'Server'
RETURN p
```

## Find Servers where DOMAIN USERS can RDP To

```
MATCH p=(g:Group)-[:CanRDP]->(c:Computer)
WHERE g.name STARTS WITH 'DOMAIN USERS'
AND c.operatingsystem CONTAINS 'Server'
RETURN p
```

## All Shortest Paths from DOMAIN USERS to High Value Targets

```
// allShortestPaths returns every equally short path to each high value node, not just one per target
MATCH (g:Group)
WHERE g.name STARTS WITH 'DOMAIN USERS'
MATCH (n {highvalue: true}), p=allShortestPaths((g)-[*1..]->(n))
RETURN p
```

## Shortest Path from DOMAIN USERS to High Value Targets

```
MATCH (g:Group), (n {highvalue: true}), p=shortestPath((g)-[*1..]->(n))
WHERE g.name STARTS WITH 'DOMAIN USERS'
RETURN p
```

## Find specific OS

```
MATCH (n:Computer)
WHERE n.operatingsystem =~ 'Windows XP.*'
RETURN n
```
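The DOMAIN USERS queries above (local admin, other rights, RDP to workstations and servers) all match on `g.name STARTS WITH 'DOMAIN USERS'`, which misses a renamed or localized group and ignores Authenticated Users and Everyone, which every domain account also holds. The query below is an added example, not one of the queries collected in this repo: it keys on the well-known RID/SID instead and covers the remote-access edges in one pass. It assumes BloodHound stores the SID in the `objectid` property (SharpHound 3+ data), where well-known SIDs appear as `<DOMAIN>-S-1-5-11`, so `ENDS WITH` works for both domain and well-known forms.

```cypher
// Added example, not from this repo. Assumes the `objectid` property holds the SID.
MATCH (g:Group)
WHERE g.objectid ENDS WITH '-513'       // Domain Users (RID 513)
   OR g.objectid ENDS WITH 'S-1-5-11'   // Authenticated Users
   OR g.objectid ENDS WITH 'S-1-1-0'    // Everyone
MATCH (g)-[r:AdminTo|CanRDP|CanPSRemote|ExecuteDCOM]->(c:Computer)
// A null operatingsystem makes the CONTAINS test null, which falls through to 'workstation'
WITH g.name AS principal, type(r) AS edge,
     CASE WHEN c.operatingsystem CONTAINS 'Server' THEN 'server' ELSE 'workstation' END AS role,
     collect(DISTINCT c.name) AS computers
RETURN principal, edge, role, size(computers) AS n, computers[0..5] AS sample
ORDER BY n DESC
```

One row per principal, edge type and machine role; `sample` shows the first five hosts so the table stays readable, and the full list is available by returning `computers` instead.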
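"List all Kerberoastable Accounts" tells you which tickets to request but not which ones are worth cracking first. The query below is an added example, not one of the queries collected in this repo: it combines that check with the explicit plus unrolled admin counting used in the "administrative on at least one machine" query and the high value group membership check, so the roasting queue is ordered by what a cracked password actually yields. It assumes the `enabled` and `serviceprincipalnames` user properties that SharpHound 3+ collects.

```cypher
// Added example, not from this repo. Assumes `enabled` and `serviceprincipalnames` properties exist.
MATCH (u:User)
WHERE u.hasspn = true
  AND u.enabled = true
  AND NOT u.name STARTS WITH 'KRBTGT@'      // krbtgt has an SPN but its ticket is not crackable in practice
OPTIONAL MATCH (u)-[:AdminTo]->(c1:Computer)
OPTIONAL MATCH (u)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c2:Computer)
// collect() drops the nulls produced by OPTIONAL MATCH; the two lists are merged and de-duplicated below
WITH u, collect(DISTINCT c1) + collect(DISTINCT c2) AS targets
// UNWIND of an empty list would drop the user entirely, so substitute [null] (count ignores nulls)
UNWIND (CASE WHEN size(targets) = 0 THEN [null] ELSE targets END) AS c
WITH u, count(DISTINCT c) AS adminTo
OPTIONAL MATCH (u)-[:MemberOf*1..]->(hv:Group {highvalue: true})
WITH u, adminTo, count(DISTINCT hv) AS highValueGroups
RETURN u.name AS user, u.serviceprincipalnames AS spns, adminTo, highValueGroups
ORDER BY highValueGroups DESC, adminTo DESC
```

Accounts in a high value group sort first, then by the number of computers they administer; an account with both zero is still listed, since a cracked service password can be useful beyond admin rights.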